Documents of Doom - Infecting macOS via Office Macros

Explore a comprehensive analysis of macro-based attacks targeting Apple's macOS in this 28-minute conference talk from the Hack In The Box Security Conference. Delve into recent exploits, focusing on macOS-specific code and payloads. Uncover a novel exploit chain starting with CVE-2019-1457, involving a new sandbox escape and bypassing Apple's notarization requirements. Learn how simply opening a malicious Office document can persistently infect a fully-patched macOS Catalina system without additional user interaction. Gain insights from Patrick Wardle, a Principle Security Researcher at Jamf and founder of Objective-See, as he shares his expertise in macOS security. Follow the presentation's structure, covering an introduction to macros, extraction techniques, the macro chain, persistence methods, and concluding remarks.

Introduction
What is a macro
How to extract macros
Macro chain
Persistence
Conclusion